In this excerpt from Chapter 2 of Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, authors Christian Lahti, Roderick Peterson, Steve Lanza, introduce COBIT and the standard's six components.
Sarbanes-Oxley compliance will significantly impact the IT organization of most public companies. However, there is one enormous problem: there is no specific mention of IT in Section 404, and more importantly, there are no specifics as to what controls have to be established within an IT organization to comply with Sarbanes-Oxley legislation.
If there is no specific mention in Section 404 as to what IT needs to do to comply with Sarbanes-Oxley, the logical question would be,"How can I comply with something without knowing what I need to do to comply?" Although there are various standards a company can use for defining and documenting its internal controls -- ITIL (IT Infrastructure Library), Six Sigma, and COBIT -- the majority of auditors have adopted COBIT.
ITIL is an international series of documents used to aid the implementation of a framework for IT Service Management.The intent of the framework is to define how Service Management is applied within specific organizations. Given that the framework consists of guidelines, it is agnostic of any application or platform and can therefore be applied in any organization.
In many organizations, Six Sigma simply means a measure of quality that strives for near perfection. Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects (driving toward six standard deviations between the mean and the nearest specification limit) in any process—from manufacturing to transactional and from product to service.
COBIT stands for Control Objectives for Information and Related Technology. While the COBIT guidelines have been around since 1996, the guidelines and best practices have almost become the de facto standard for auditors and SOX compliance, mostly because the COBIT standards are platform independent.There are approximately 300 generic COBIT objectives, grouped under six COBIT Components. When reviewing and applying the COBIT guidelines and best practices, keep in mind that they will need to be tailored to your particular environment.
The six COBIT components
COBIT consists of six components:
- Executive Summary Explains the key concepts and principles.
- Framework Foundation for approach and COBIT elements. Organizes the process model into
-- Plan and organize
-- Acquire and implement
-- Deliver and support
-- Monitor and evaluate
- Control Objective Foundation for approach and COBIT elements. Organizes the process model into the four domains (discussed in a moment).
- Control Practices Identifies best practices and describes requirements for specific controls.
- Management Guidelines Links business and IT objectives and provides tools to improve IT performance.
- Audit Guidelines Provides guidance on how to evaluate controls, assess compliance and document risk with these characteristics:
-- Define "internal controls" over financial reporting
-- Internally test and assess these controls
-- Support external audits of controls
-- Document compliance efforts
-- Report any significant deficiencies or material weaknesses
In conclusion, although an IT organization is free to select any predefined standards, or even one they develop to assist them in obtaining Sarbanes-Oxley compliance, the mostly widely accepted standard is COBIT. Subsequently, you may find that selecting COBIT will be the path of least resistance to Sarbanes-Oxley compliance.
Read the rest of Chapter 2, SOX and COBIT defined
This was first published in December 2005